Chapter 2 Virtual Private Networking Basics




What Is a Virtual Private Network?

There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.

A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS).

A key aspect of data security is that the data flowing across the network is protected by encryption technologies. Private networks lack data security, which can allow attackers to tap directly into the network and read the data. IPSec-based VPNs use encryption to provide data security, which increases the network's resistance to data tampering or theft.

IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.

VPNs are traditionally used for:

Intranets: Intranets connect an organization's locations. These locations range from the headquarters offices, to branch offices, to a remote employee's home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limit connectivity. The cost of connecting home users is also very expensive compared to Internet-access technologies, such as DSL or cable. Because of this, organizations are moving their networks to the Internet, which is inexpensive, and using IPSec to create these networks.

Virtual Private Networking Basics 2-1

Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization's modem pool is one method of access for remote workers, but it is expensive because the organization must pay the associated long distance telephone and service costs. Remote access VPNs greatly reduce expenses by enabling mobile workers to dial a local Internet connection and then set up secure IPSec-based VPN communications to their organization.

Extranets: Extranets are secure connections between two or more organizations. Common uses for extranets include supply-chain management, development partnerships, and subscription services. These undertakings can be difficult using legacy network technologies due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for extranet connections. IPSec-capable devices can be quickly and inexpensively installed on existing Internet connections.

What Is IPSec and How Does It Work?

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet).

IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting data while in transit.

IPSec Security Features

IPSec is the most secure method commercially available for connecting network sites. IPSec was designed to provide the following security features when transferring packets across networks:

Authentication: Verifies that the packet received is actually from the claimed sender.
Integrity: Ensures that the contents of the packet did not change in transit.
Confidentiality: Conceals the message content through encryption.

IPSec Components

IPSec contains the following elements:

Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
Authentication Header (AH): Provides authentication and integrity.
Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

Encapsulating Security Payload (ESP)

ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.

IPSec provides an open framework for implementing industry standard algorithms, such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver.

ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content. The opposite process, called decryption, translates the message content from an unreadable format to a readable message. Encryption/decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has an option to perform authentication, called ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header.

Figure 2-1

The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.

Authentication Header (AH)

AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched.

Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.

Figure 2-2

Security Association

IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected, full-duplex data channel.

The SAs allow an enterprise to control exactly what resources may communicate securely, according to security policy. To do this an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and business partners.

Mode

SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, but transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly. A host is a device that sends and receives network traffic.

Transport Mode: The transport mode IPSec implementation encapsulates only the packet's payload. The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged) and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going to. Figure 2-1 and Figure 2-2 above show a packet in transport mode.

Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker from analyzing the data and deciphering it, as well as knowing who the packet is from and where it is going.

Note: AH and ESP can be used in both transport mode and tunnel mode.

Figure 2-3
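The header placement described for AH and for the two modes is easy to get wrong when reading a capture, so here is an added example (written for this edit, not code from the NETGEAR manual) that builds an AH-protected packet in transport mode and in tunnel mode, then verifies it on the receiving side. It uses HMAC-SHA1-96 as the integrity algorithm, zeroes the mutable IP fields (TTL and checksum) before computing the ICV as the AH specification (RFC 4302) requires, discards packets whose ICV does not verify, and enforces a sliding anti-replay window. The gateway WAN addresses are the VPNC example addresses from this chapter; the host addresses, the SPI and the integrity key are constructed for the example (in a real tunnel the key comes from IKE).

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for this example (not from a real capture).
HOST_A, HOST_B = "10.5.6.10", "172.23.9.10"          # hosts behind the two gateways
GATEWAY_A, GATEWAY_B = "14.15.16.17", "22.23.24.25"  # VPNC example WAN addresses
AH_KEY = b"example-ah-integrity-key"                  # constructed; from IKE in practice
SPI = 0x1000                                          # constructed SA identifier
PROTO_AH, PROTO_IPIP, PROTO_UDP = 51, 4, 17
AH_LEN = 24  # 12-byte fixed part + 96-bit ICV (HMAC-SHA1-96)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. The checksum is left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def outer_addresses(packet):
    """Source and destination of the outermost IP header: what an observer sees."""
    return str(ipaddress.ip_address(packet[12:16])), str(ipaddress.ip_address(packet[16:20]))


def _icv(ip_hdr, ah_fixed, rest):
    """HMAC-SHA1-96 over the whole packet; mutable IP fields (TTL, checksum)
    and the ICV field itself are zeroed first, as RFC 4302 requires."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0              # TTL changes at every hop
    hdr[10:12] = b"\0\0"    # header checksum follows the TTL
    mac = hmac.new(AH_KEY, bytes(hdr) + ah_fixed + b"\0" * 12 + rest, hashlib.sha1)
    return mac.digest()[:12]


def ah_protect(src, dst, payload, seq, mode, proto=PROTO_UDP):
    """Build an AH-protected packet in 'transport' or 'tunnel' mode."""
    if mode == "transport":
        # Original IP header is kept (addresses stay visible); AH slides in after it.
        inner, next_hdr = payload, proto
        ip_hdr = ipv4_header(src, dst, PROTO_AH, AH_LEN + len(inner))
    elif mode == "tunnel":
        # The whole original packet becomes the payload; the new outer header
        # names the two gateways, so the hosts are hidden from the path.
        inner, next_hdr = ipv4_header(src, dst, proto, len(payload)) + payload, PROTO_IPIP
        ip_hdr = ipv4_header(GATEWAY_A, GATEWAY_B, PROTO_AH, AH_LEN + len(inner))
    else:
        raise ValueError(mode)
    # AH fixed part: next header, length in 32-bit words minus 2, reserved, SPI, sequence.
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, SPI, seq)
    return ip_hdr + ah_fixed + _icv(ip_hdr, ah_fixed, inner) + inner


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4302 style)."""

    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False
        if seq > self.highest:                    # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                   # older than the window: reject
            return False
        if self.bitmap & (1 << offset):           # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


def ah_verify(packet, window):
    """Receiver side. Returns (accepted, reason, bytes following the AH)."""
    ip_hdr, ah_fixed, icv, rest = packet[:20], packet[20:32], packet[32:44], packet[44:]
    if ip_hdr[9] != PROTO_AH:
        return False, "not AH", b""
    _next_hdr, _len, _res, spi, seq = struct.unpack("!BBHII", ah_fixed)
    if spi != SPI:
        return False, "unknown SPI", b""
    if not hmac.compare_digest(icv, _icv(ip_hdr, ah_fixed, rest)):
        return False, "integrity check failed", b""   # tampered or wrong key: discard
    if not window.check_and_update(seq):
        return False, "replay", b""
    return True, "ok", rest
```

Run `outer_addresses()` on a transport-mode packet and you get the host addresses; on a tunnel-mode packet you get the gateway addresses, which is the point the chapter makes about what an attacker on the path can learn. Note that in tunnel mode the bytes returned by `ah_verify()` still contain the readable inner IP header and payload: AH alone gives integrity and anti-replay, not confidentiality.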

Key Management

IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it.

IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other. IKE manages the process of refreshing keys; however, a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis ensures data confidentiality between sender and receiver.

Understand the Process Before You Begin

This manual provides examples of how to configure a secure IPSec VPN tunnel. This document assumes the reader has a working knowledge of NETGEAR management systems.

NETGEAR, Inc. is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard. The examples in this manual follow the addressing and configuration mechanics defined by the VPN Consortium. Additional information regarding inter-vendor interoperability may be found at http://www.vpnc.org/interop.html.

It is a good idea to gather all the necessary information required to establish a VPN before you begin the configuration process. You should understand whether the firmware is up-to-date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Try to understand any incompatibilities before you begin, so that you minimize any potential complications which may arise from normal firewall or WAN processes.

If you are not a full-time system administrator, it is a good idea to familiarize yourself with the mechanics of a VPN. The brief description below in this document will help. Other good sources include:

The NETGEAR VPN Tutorial: http://www.netgear.com/planetvpn/pvpn_2.html
The VPN Consortium: http://www.vpnc.org/
The VPN bibliography in Additional Reading on page 2-12.

VPN Process Overview

Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.

Network Interfaces and Addresses

The VPN gateway is aptly named because it functions as a gatekeeper for each of the computers connected on the Local Area Network behind it. In most cases, each gateway will have a public facing address (WAN side) and a private facing address (LAN side). These addresses are referred to as the network interface in documentation regarding the construction of VPN communication. Please note that the addresses used in the example.

Interface Addressing

This document uses example addresses provided by the VPN Consortium. It is important to understand that you will be using addresses specific to the devices that you are attempting to connect via IPSec VPN.

Figure 2-4: VPNC Example Network Interface Addressing. Gateway A: LAN IP 10.5.6.1 (LAN 10.5.6.0/24), WAN IP 14.15.16.17. Gateway B: WAN IP 22.23.24.25, LAN IP 172.23.9.1 (LAN 172.23.9.0/24).

It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.

Table 2-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing

Gateway      LAN or WAN       VPNC Example Address
Gateway A    LAN (Private)    10.5.6.1
Gateway A    WAN (Public)     14.15.16.17
Gateway B    LAN (Private)    22.23.24.25
Gateway B    WAN (Public)     172.23.9.1

It will also be important to know the subnet mask of both gateway LAN connections. Use the worksheet in Appendix A to gather the necessary address and subnet mask information to aid in the configuration and troubleshooting process.

Table 2-2. Subnet Addressing

Gateway      LAN or WAN       Interface Name    Example Subnet Mask
Gateway A    LAN (Private)    Subnet Mask A     255.255.255.0
Gateway B    LAN (Private)    Subnet Mask B     255.255.255.0

Firewalls

It is important to understand that many gateways are also firewalls. VPN tunnels cannot function properly if firewall settings disallow all incoming traffic. Please refer to the firewall instructions for both gateways to understand how to open specific protocols, ports, and addresses that you intend to allow.

Setting Up a VPN Tunnel Between Gateways

An SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls, gateways) to trust each other and communicate securely as they pass information over the Internet.

Figure 2-5

The SA contains all the information necessary for Gateway A to negotiate a secure and encrypted communication stream with Gateway B. This communication is often referred to as a tunnel. The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.

Each gateway must negotiate its Security Association with another gateway using the parameters and processes established by IPSec. As illustrated below, the most common method of accomplishing this process is via the Internet Key Exchange (IKE) protocol, which automates some of the negotiation procedures. Alternatively, you can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways.

Figure 2-6: VPN Gateway IPSec Security Association. IKE VPN Tunnel Negotiation Steps:
1) Communication request sent to VPN Gateway
2) IKE Phase I authentication
3) IKE Phase II negotiation
4) Secure data transfer
5) IPSec tunnel termination

The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.

IKE Phase I.
a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPSec keys for the SAs.

IKE Phase II.
a. The two parties negotiate the encryption and authentication algorithms to use in the IPSec SAs.
b. The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created and exchanged, the IPSec SAs are ready to protect user data between the two VPN gateways.

Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.

IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.

VPNC IKE Security Parameters

It is important to remember that both gateways must have the identical parameters set for the process to work correctly. The settings in these examples follow the examples given for Scenario 1 of the VPN Consortium.

VPNC IKE Phase I Parameters

The IKE Phase 1 parameters used:
  Main mode
  TripleDES
  SHA-1
  MODP group 1
  pre-shared secret of "hr5xb84l6aa9r6"
  SA lifetime of 28800 seconds (eight hours)

VPNC IKE Phase II Parameters

The IKE Phase 2 parameters used in Scenario 1 are:
  TripleDES
  SHA-1
  ESP tunnel mode
  MODP group 1
  Perfect forward secrecy for rekeying
  SA lifetime of 28800 seconds (one hour)
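The two IKE phases above are easier to follow with both sides' computations side by side, so here is an added example (written for this edit, not code from the NETGEAR manual or from the VPN Consortium) that walks two peers through a simplified Phase I and Phase II. It uses the parameters listed for Scenario 1 that can be modelled in pure Python: Diffie-Hellman over MODP group 1 (the 768-bit prime from RFC 2409 with generator 2), SHA-1 as the keyed PRF, the pre-shared secret "hr5xb84l6aa9r6" for authentication, and a fresh Diffie-Hellman exchange in Phase II for perfect forward secrecy. The message formats, the master-key and SA-key derivations and the authentication tag are deliberate simplifications of RFC 2409 (labelled as such in the comments), not the real IKE wire protocol; 3DES is not modelled. Note for practitioners: a 768-bit group is far too small by current standards and is kept here only because it is what the chapter's parameters specify.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "First Oakley Group" (MODP group 1): 768-bit prime, generator 2.
MODP_GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
MODP_GROUP1_G = 2
DH_BYTES = 96  # 768 bits

PRESHARED_SECRET = b"hr5xb84l6aa9r6"  # VPNC Scenario 1 example secret from the chapter


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated hash (SHA-1) used as a keyed PRF, as IKE does."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One IKE endpoint: holds its private DH exponent and the derived master key."""

    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.master_key = None
        self._x = None

    def new_dh_public(self) -> int:
        """Pick a fresh private exponent x and return the public value g^x mod p."""
        self._x = secrets.randbelow(MODP_GROUP1_P - 2) + 1
        return pow(MODP_GROUP1_G, self._x, MODP_GROUP1_P)

    def dh_secret(self, peer_public: int) -> bytes:
        """g^(xy) mod p: never sent on the wire, computed independently by each side."""
        return pow(peer_public, self._x, MODP_GROUP1_P).to_bytes(DH_BYTES, "big")


def ike_phase1(init: IkePeer, resp: IkePeer) -> bool:
    """Phase I (main mode with pre-shared key, simplified). Returns True when both
    peers authenticated each other; afterwards both hold the same master key."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # nonces, sent in clear
    gi, gr = init.new_dh_public(), resp.new_dh_public()         # DH publics, sent in clear
    wire = gi.to_bytes(DH_BYTES, "big") + gr.to_bytes(DH_BYTES, "big")
    for peer, peer_pub in ((init, gr), (resp, gi)):
        # Master key binds the pre-shared secret, both nonces and the DH secret
        # (a simplification of SKEYID / SKEYID_d in RFC 2409, not the exact formula).
        peer.master_key = prf(prf(peer.psk, ni + nr), peer.dh_secret(peer_pub))
    # Authentication: each side sends a tag over the exchanged public values under
    # its master key. A mistyped secret on either gateway makes the tags disagree.
    tag_i = prf(init.master_key, b"initiator" + wire)
    tag_r = prf(resp.master_key, b"responder" + wire)
    ok_for_init = hmac.compare_digest(tag_r, prf(init.master_key, b"responder" + wire))
    ok_for_resp = hmac.compare_digest(tag_i, prf(resp.master_key, b"initiator" + wire))
    return ok_for_init and ok_for_resp


def ike_phase2(init: IkePeer, resp: IkePeer, spi: int, pfs: bool = True) -> tuple:
    """Phase II (quick mode, simplified): derive the IPSec SA key for one SPI.
    With PFS a fresh DH exchange feeds the derivation, so a later compromise of the
    Phase I master key does not expose this SA's key. Returns the key as computed
    by the initiator and by the responder; they must be equal."""
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        gi2, gr2 = init.new_dh_public(), resp.new_dh_public()
        dh = (init.dh_secret(gr2), resp.dh_secret(gi2))
    else:
        dh = (b"", b"")   # without PFS the SA key depends on the master key alone
    keys = [prf(peer.master_key, g_xy + spi.to_bytes(4, "big") + ni2 + nr2)
            for peer, g_xy in ((init, dh[0]), (resp, dh[1]))]
    return keys[0], keys[1]
```

Running `ike_phase1()` with the same secret on both peers succeeds and leaves both with an identical master key; running it against a peer configured with a different secret fails, which is exactly the symptom a mismatched pre-shared secret produces in the gateway's IKE log. `ike_phase2()` then derives the same SA key on both sides from that master key, the new nonces and, with PFS, a new Diffie-Hellman secret.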

Testing and Troubleshooting

Once you have completed the VPN configuration steps you can use computers, which are located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway to determine if IKE negotiation is working.

Common problems encountered in setting up VPNs include:
  Parameters may be configured differently on Gateway A vs. Gateway B.
  Two LANs set up with similar or overlapping addressing schemes.
  So many required configuration parameters mean errors such as mistyped information or mismatched parameter selections on either side are more likely to happen.

Additional Reading

Building and Managing Virtual Private Networks, Dave Kosiur, Wiley & Sons; ISBN: 0471295264.
Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick and Steven M. Bellovin, Addison-Wesley; ISBN: 0201633574.
VPNs: A Beginner's Guide, John Mains, McGraw Hill; ISBN: 0072191813.
[FF98] Floyd, S., and Fall, K., Promoting the Use of End-to-End Congestion Control in the Internet. IEEE/ACM Transactions on Networking, August 1999.

Relevant RFCs listed numerically:

[RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
[RFC 1058] Routing Information Protocol, C. Hedrick, Rutgers University, June 1988.
[RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
[RFC 2401] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401, November 1998.
[RFC 2407] D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, November 1998.

[RFC 2474] K. Nichols, S. Blake, F. Baker, D. Black, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, December 1998.
[RFC 2475] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss, An Architecture for Differentiated Services, December 1998.
[RFC 2481] K. Ramakrishnan, S. Floyd, A Proposal to Add Explicit Congestion Notification (ECN) to IP, January 1999.
[RFC 2408] D. Maughan, M. Schertler, M. Schneider, J. Turner, Internet Security Association and Key Management Protocol (ISAKMP).
[RFC 2409] D. Harkins, D. Carrel, Internet Key Exchange (IKE) protocol.
[RFC 2401] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol.
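The Testing and Troubleshooting section lists the three usual causes of a tunnel that will not come up: parameters that differ between the two gateways, overlapping LAN addressing, and mistyped values. As an added example (written for this edit, not a NETGEAR tool) the check below compares two gateway configurations before anyone touches the devices and reports every disagreement in one pass, so the VPN log is not the first place a mismatch is discovered. The two configurations are constructed from the VPNC Scenario 1 values in this chapter; the Phase 2 lifetime on Gateway B is deliberately set to a different value to show what a report looks like. The dictionary layout and key names are this example's own, not the gateway's configuration format.

```python
import ipaddress

# Constructed configurations following the chapter's VPNC Scenario 1 values.
# Gateway B's phase2 lifetime is deliberately different to show a detected mismatch.
GATEWAY_A = {
    "wan": "14.15.16.17", "lan": "10.5.6.0/24",
    "psk": "hr5xb84l6aa9r6",
    "phase1": {"mode": "main", "encryption": "3des", "hash": "sha1",
               "dh_group": 1, "lifetime": 28800},
    "phase2": {"protocol": "esp", "mode": "tunnel", "encryption": "3des", "hash": "sha1",
               "dh_group": 1, "pfs": True, "lifetime": 28800},
}
GATEWAY_B = {
    "wan": "22.23.24.25", "lan": "172.23.9.0/24",
    "psk": "hr5xb84l6aa9r6",
    "phase1": {"mode": "main", "encryption": "3des", "hash": "sha1",
               "dh_group": 1, "lifetime": 28800},
    "phase2": {"protocol": "esp", "mode": "tunnel", "encryption": "3des", "hash": "sha1",
               "dh_group": 1, "pfs": True, "lifetime": 3600},
}


def preflight(a: dict, b: dict) -> list:
    """Return a list of human-readable problems; an empty list means the two
    gateway configurations agree and the address plan is consistent."""
    problems = []
    # 1. Every IKE Phase 1 / Phase 2 parameter must be identical on both sides.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                problems.append(f"{phase} {key}: Gateway A={va!r} Gateway B={vb!r}")
    # 2. A mistyped pre-shared secret fails silently at IKE Phase 1 authentication.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared secret differs (IKE Phase I authentication will fail)")
    # 3. The two LANs must be separate and distinct, or routing across the tunnel breaks.
    lan_a, lan_b = ipaddress.ip_network(a["lan"]), ipaddress.ip_network(b["lan"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} and {lan_b}")
    # 4. WAN (public) addresses must not fall inside either private LAN, and must differ.
    for name, gw in (("A", a), ("B", b)):
        wan = ipaddress.ip_address(gw["wan"])
        if wan in lan_a or wan in lan_b:
            problems.append(f"Gateway {name} WAN address {wan} lies inside a LAN subnet")
    if a["wan"] == b["wan"]:
        problems.append("both gateways are configured with the same WAN address")
    return problems


if __name__ == "__main__":
    for line in preflight(GATEWAY_A, GATEWAY_B) or ["no problems found"]:
        print(line)
```

Run as a script it prints the single Phase 2 lifetime mismatch in the constructed configurations; correct that value and the report is empty. The subnet check uses `ipaddress.ip_network().overlaps()`, so it also catches the partial overlaps (one LAN nested inside the other) that a visual comparison of two addresses tends to miss.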
